Much like the Cambridge Analytica scandal, it seems Facebook exploited a permissions loophole.

News

Facebook hasn’t yet woken up from the ongoing PR nightmare brought on by Cambridge Analytica, and it may already be facing yet another: an Ars Technica investigation found that Facebook collected and stored data on Android phone users’ calls and texts, including phone numbers and length of calls.

The thing is, it doesn’t yet appear that Facebook broke any laws or used data without permission; rather, the data seems to have come by way of another unclear permission opt-in for Facebook apps. It’s shady, for sure, but the method may not be illegal or even nefarious (Facebook says it’s all aimed at improving users’ experience).

But the fact that we’re once again talking about it shows how far our trust in Facebook has fallen.

Cambridge Analytica was able to scrape data from millions of users because Facebook’s privacy rules at the time allowed its app to gather information not just from users, but also from their friends (of course, most Facebook users didn’t know that at the time).

Facebook was able to store call and text data from Android phones (but not other models) through a similar loophole, Ars Technica‘s investigation suggests. If Android users downloaded Facebook apps, like Messenger, in 2015, they granted those apps permission to access their contacts, and included call and message logs by default. Though Android later changed this permission structure, Facebook and other apps could continue to access calls and texts by specifying that they were written to the earlier software. That loophole stayed open until October 2017, when Google updated the way Androids stored their data.

Android users could purge that data, but they first had to know it was being collected. What’s more, Ars Technica found that even when they did so, contacts remained in the Facebook app’s contact management tool.

In a blog posted on March 25, Facebook retorted with a “fact check” of these claims, stating that call and text logging is only an opt-in feature that Android users have to specifically agree to when they install Messenger or Facebook Lite.

Yet Ars Technica states that this contradicts users’ experiences. Reporter Sean Gallagher notes that he never installed Messenger on his Android device, only the Facebook app, and that he never opted into call or SMS collecting. Yet there are still call logs from the time that Facebook was installed. That seems to be because opt-in was the default mode when those apps were installed.

These back-to-back scandals also hint at something much more unsettling: that there could be more Cambridge Analyticas, more violations of users’ trust.

We haven’t yet learned about just how much data Facebook has collected — or is still collecting — about its users using sketchy privacy agreements. Indeed, the Federal Trade Commission announced on March 26 that it is opening an investigation into Facebook’s privacy practices, which could signal there are more reveals about the social media company ahead.